[OpenSER-Users] Need some help with DNS blacklist feature

Tim Madorma tmadorma at gmail.com
Fri Sep 28 16:53:40 CEST 2007


Hi,

I'm interested in using DNS blacklisting to stop transmitting SIP
requests towards UAS endpoints that are non-responsive. I am on
version 1.2, but I can't get it to work properly.

Here is what I am trying to do:

1) I get a message from a UAC that needs to be sent towards 1 of 4
destination UAS endpoints.

2) I set up the OpenSER to perform an SRV lookup which returns a record
that has four A records associated with it. It looks as follows:

;; QUESTION SECTION:
;_sip._udp.aimcidfilter.com.    IN      SRV

;; ANSWER SECTION:
_sip._udp.aimcidfilter.com. 60  IN      SRV     1 100 5061 spinner.eng.rr.com.
_sip._udp.aimcidfilter.com. 60  IN      SRV     2 100 5061 bart.eng.rr.com.
_sip._udp.aimcidfilter.com. 60  IN      SRV     3 50 5061 homer.eng.rr.com.
_sip._udp.aimcidfilter.com. 60  IN      SRV     3 50 5061 crunch.eng.rr.com.


3) After fetching the SRV record, the OpenSER sees that
spinner.eng.rr.com has a priority of 1 so it does a gethostbyname
which performs a DNS A record
lookup and gets a response for spinner.eng.rr.com.

4) When the OpenSER sends towards spinner.eng.rr.com, it does not get
a SIP response from it. *It is at this point I was hoping that OpenSER
would blacklist this UAS endpoint*, but for each incoming request that
is received by the OpenSER, it continues to resolve the domain in the
same manner and sends towards spinner.eng.rr.com even though there is
no SIP response.

Is what I am trying to do in accordance with how OpenSER blacklisting
is supposed to work?

I am trying to have OpenSER send towards bart.eng.rr.com when
spinner.eng.rr.com is not responding or is not reachable.

My configuration is as below. Note that I have even tried to disable
sending towards spinner.eng.rr.com by manually adding a dst_blacklist
entry - that doesn't even seem to work for me. Am I doing something
wrong?

Here is my output from openserctl

# openserctl fifo list_blacklists
200 OK
List:: net_filter owner=13 flags=1
       Rule::  flags=0
               IP:: 65.185.233.55
               Mask:: 255.255.255.255
               Proto:: 0
               Port:: 5061
List:: dns owner=17 flags=6


---------------
#
# Openser.cfg
# ----------- global configuration parameters ------------------------

debug=5            # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=no    # (cmd line: -E)

maxbuffer=1048576

check_via=no    # (cmd. line: -v)
dns=no          # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
#reply_to_via=1
children=4
log_facility=LOG_LOCAL4
dns_use_search_list=no
dns_servers_no=2
user="sipproxy"
group="sipproxy"
disable_dns_blacklist=no
disable_dns_failover=no
dns_try_ipv6=no
dns_retr_time=2
dns_retr_no=2
dst_blacklist = net_filter:{ ( any , 65.185.233.55, 5061 , "" )} # block towards spinner

listen=udp:65.185.232.62:5060

alias=65.185.233.104:5060

# LOAD OpenSER MODULES
mpath="/sw/lib/openser/modules/"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "acc.so"
loadmodule "mi_fifo.so"
loadmodule "xlog.so"

# ----------------- setting module-specific parameters ---------------

# -- usrloc params --

modparam("usrloc", "db_mode",   0)

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# -------------------------  request routing logic -------------------
modparam("acc", "log_level", 2)
modparam("acc", "log_flag", 1)
modparam("acc","report_cancels", 1)
modparam("acc","failed_transaction_flag", 1)
modparam("acc","log_extra", "req_uri=$rU")
modparam("tm", "fr_timer", 5)
modparam("tm","fr_inv_timer",5)
modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")

# main routing logic

route{
       # initial sanity checks -- messages with
       # max_forwards==0, or excessively long requests
       if (!mf_process_maxfwd_header("10")) {
               sl_send_reply("483","Too Many Hops");
               exit;
       };

       if (msg:len >=  2048 ) {
               sl_send_reply("513", "Message too big");
               exit;
       };

       # we record-route all messages -- to make sure that
       # subsequent messages will go through our proxy; that's
       # particularly good if upstream and downstream entities
       # use different transport protocol
       if (!method=="REGISTER")
               record_route();

       # subsequent messages within a dialog should take the
       # path determined by record-routing
       if (loose_route()) {
               # mark routing logic in request
               append_hf("P-hint: rr-enforced\r\n");
               route(1);
       };

       if (!uri==myself) {
               route(1);
       };

       if (method=="OPTIONS") {
           sl_send_reply("200", "OK");
           exit;
       }

       if (uri =~ "^sip:feature_fs@" || method=="NOTIFY") {
           xlog("L_DBG", "TWC: received incoming message:\n <$mb>\n");
           seturi("sip:feature_fs@aimcidfilter.com");
           setflag(1);
           route(1);
       }  else {
         sl_send_reply("404", "Not Found");
       };
}

#####################################################
# Default Message Handler
#####################################################
route[1] {

       # Send it out now; use stateful forwarding as it works reliably
       # even for UDP2TCP
       if (!t_relay()) {
               sl_reply_error();
       };
       exit;
}
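
The failover asked for in steps 1-4 above, as an added example that is not part of the original post and is not OpenSER code: it parses the SRV answer quoted in the post, orders targets per RFC 2782, and skips any destination that has been blacklisted after failing to answer. The Blacklist class, its ttl value, and keying on hostname and port instead of IP are assumptions made for illustration.

```python
import random

# SRV answer copied from the post (dig output format).
SRV_ANSWER = """\
_sip._udp.aimcidfilter.com. 60  IN      SRV     1 100 5061 spinner.eng.rr.com.
_sip._udp.aimcidfilter.com. 60  IN      SRV     2 100 5061 bart.eng.rr.com.
_sip._udp.aimcidfilter.com. 60  IN      SRV     3 50 5061 homer.eng.rr.com.
_sip._udp.aimcidfilter.com. 60  IN      SRV     3 50 5061 crunch.eng.rr.com.
"""

def parse_srv(text):
    """Return (priority, weight, port, target) tuples from dig-style SRV lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 8 and fields[2] == "IN" and fields[3] == "SRV":
            prio, weight, port = (int(f) for f in fields[4:7])
            records.append((prio, weight, port, fields[7].rstrip(".")))
    return records

def order_srv(records, rng):
    """RFC 2782 order: ascending priority, weighted random pick within a priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            # Simplification: a weight of 0 is treated as 1.
            pick = rng.choices(group, weights=[r[1] or 1 for r in group])[0]
            group.remove(pick)
            ordered.append(pick)
    return ordered

class Blacklist:
    """Hypothetical temporary blacklist: failed destinations with an expiry time."""
    def __init__(self, ttl=240):  # ttl in seconds; assumed value for the example
        self.ttl, self.entries = ttl, {}
    def add(self, target, port, now):
        self.entries[(target, port)] = now + self.ttl
    def blocked(self, target, port, now):
        return self.entries.get((target, port), 0) > now

def next_destination(records, blacklist, now, rng=random):
    """First SRV target in RFC 2782 order that is not blacklisted, else None."""
    for _prio, _weight, port, target in order_srv(records, rng):
        if not blacklist.blocked(target, port, now):
            return target, port
    return None
```
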



